From patchwork Mon Nov 24 11:46:28 2025 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "MOESSBAUER, Felix" X-Patchwork-Id: 322 Return-Path: Received: from shymkent.ilbers.de ([unix socket]) by shymkent (Cyrus 2.5.10-Debian-2.5.10-3+deb9u2) with LMTPA; Mon, 24 Nov 2025 12:47:05 +0100 X-Sieve: CMU Sieve 2.4 Received: from mail-ej1-f64.google.com (mail-ej1-f64.google.com [209.85.218.64]) by shymkent.ilbers.de (8.15.2/8.15.2/Debian-8+deb9u1) with ESMTPS id 5AOBl54g030379 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for ; Mon, 24 Nov 2025 12:47:05 +0100 Received: by mail-ej1-f64.google.com with SMTP id a640c23a62f3a-b7178ad1a7dsf195913266b.1 for ; Mon, 24 Nov 2025 03:47:05 -0800 (PST) ARC-Seal: i=3; a=rsa-sha256; t=1763984819; cv=pass; d=google.com; s=arc-20240605; b=FzGjSWjLFu0xmwUZ2DDzhwyGrnxTGa1siC+AJm++8bd530iGhUxy1U+v8tt26Lky4j e7zWC1rhkp9GlEuNfc6aUY734MAWI/nrswLMYy9r38Q1jeQ6VBEREwj2oLslxw0xj0Pa BkqcbuOO1JspHV0az6zvk0PzH+1gXPge2su8oAb4exocUdO8N1kHJNFad6U8OgMERBkJ xcbGxUmnxUuAyfWhqhz6dk4C82qKhuJv1clPWfaZVK2l7tDOuyb2yMmVc4mNX/bvpJ/0 zispb4XIuG5ATHtOaoprGNGcvwc7JYdBLsQ/EVsjZa/I3963d7fMm+Enz0XcSi00wVlV TaLQ== ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to:mime-version:message-id :date:subject:cc:to:from:dkim-signature; bh=dEgfpbx7tBQVZrrBWK2yGYVOAtUwvLjWbRhDSV5Ei+4=; fh=PIaQumQqB9+FseaRKreMTjh+c3t0yzDVA4EeB0dXtSc=; b=f3SIUJ276Ch2Dfi7MyfBXkjCFrZCnUQlQS9yMGepAdguiR05Ch4WsejhFQ4K+6Ot/x nINCCCVMlqpewWYIq6Wk0LSUsBM399SQnTFQo6dXnOCyIG8Dl2suA1SZqh4ERu79ZKqY 1iaY13VWwPAmgPLFLp9J13ftQ2gBUifyaMfIU7q5FHxaFuXFQJbKUmMLY+CmEM3GG8f6 S9j40RfNr5ULPIkE6clOFktsP6rCwQDoR8Z9TxoGnVv1B09bZTGmJ0ZPUfW9orGYQNeY +olrIiJ8+bEgkL692B2UasdCzopYKh5rVuVi/AZsLufgV1wEyNyi9Wqa9o7mcumaTDt5 v4qA==; darn=isar-build.org ARC-Authentication-Results: i=3; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=mYZuNY1g; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::1 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlegroups.com; s=20230601; t=1763984819; x=1764589619; darn=isar-build.org; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=dEgfpbx7tBQVZrrBWK2yGYVOAtUwvLjWbRhDSV5Ei+4=; b=tr7eNHf5bt2MdBy/UTFm+pKzf+eYQBLakr2ntwaNAMDlDJL20ps4oFsBXhrUEDCmCk QrVQ4eoXumBrg9Q/hq0En3feaPYmb68dc+QPkyVGzYNtwhsxQnzYn7pWIz4Rul1DuKJI 65DN1gQfdO8Z3sAAJB/1qibXQ411o3ohEHSK4SEJd0DkOwggmYfrc6+hC2ZnaTx5DUmG gmoWREHnZD2Bx+RHKcQwarIXa0QkInXqA17G9uXjwH8HLXNk3sv53elC7Wn0NuJIrYqw 5tVu9wbWpGPVAjk5sFjGAg/tDfmb1C7t5PL8jvuWLDSb+GlCf03gB5n0BiqWPgQ5zL2S Me8Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1763984819; x=1764589619; h=list-unsubscribe:list-subscribe:list-archive:list-help:list-post :x-spam-checked-in-group:list-id:mailing-list:precedence:reply-to :x-original-authentication-results:x-original-sender:mime-version :message-id:date:subject:cc:to:from:x-beenthere:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=dEgfpbx7tBQVZrrBWK2yGYVOAtUwvLjWbRhDSV5Ei+4=; b=S+0e3b5jsIo1HhAKiznU8xbJvD3lopTA5NIHLrXiDvfVYrjXpv4N3txd1gnYuxwVR5 rDcP99qVJGq37cERDthMw/CYakKxQ6BKEz8bvmBSVp9oDXiNvVjJaQBPzxKwv9ES17ef 34wz563Uotxm9dDo3ik0rU5VvP/k+J55W9jnmfmx3czFFw0BYiuyyLrlxEZxl+gQy1Ct Fji2raIQ6grJZ+mdqNdHqPZJifIg05xoBJHbJTBRuInzea6kjT7paoO9aqYy1RDH7wba bLUcyIsSHXDmwGuvBhRNjYsEttzXknkq0enKT0awr4SwNNGiC2bnVuKBDN8J/igRNOhg 8xmA== X-Forwarded-Encrypted: i=3; AJvYcCUgQIoYT3TF3D0jmKKh2OlS+0JH1PZuYB+v1ktFKdcxh3HiRZfiD+8us1V4x+TbQUP+6KssXls=@isar-build.org X-Gm-Message-State: AOJu0YwXnb18qG1Y/ReIa31voVal9/bmvr1nPFpRq9H2MZAIrv+WhnjJ wJOtbO/Yg+USPYrLIJ8u2av+8adJEP6zeGt88j4mEJwZgAY/kpupG2HS X-Google-Smtp-Source: AGHT+IF4MThVf20aRsuZGp3Ggh1CMhPuMuBhP1SX3+s624cAJ2gYN4zNtEZWV1lMCHZyCFgPcNNybg== X-Received: by 2002:a17:907:d08:b0:b73:3e15:a370 with SMTP id a640c23a62f3a-b76719d0675mr1204344266b.57.1763984819372; Mon, 24 Nov 2025 03:46:59 -0800 (PST) X-BeenThere: isar-users@googlegroups.com; h="Ae8XA+Y0uG5j4qXCC1tXJ9eTmwpjN2RxRmIzuMzxVO9d7QU/WA==" Received: by 2002:a05:6402:516c:b0:644:fc0e:254 with SMTP id 4fb4d7f45d1cf-6453636cbc3ls3181310a12.0.-pod-prod-04-eu; Mon, 24 Nov 2025 03:46:56 -0800 (PST) X-Received: by 2002:a05:6402:84e:b0:645:2add:9301 with SMTP id 4fb4d7f45d1cf-64555d0ac62mr9375746a12.34.1763984816385; Mon, 24 Nov 2025 03:46:56 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1763984816; cv=pass; d=google.com; s=arc-20240605; b=DEen8fQXA1taorRJa0mthwzWZw+aKgQZR3nnYqEYgtrTo0CvGuJm0mnLnozrPfTPn0 c7RQZrcRzm3XRSea4UvX6Nvqeggl0ZuNSqOZ1US7LeDw/O/74slE0yGjfI9/cbf2BZJo r41gjEGsNp1u42I96CTBdYx6oEroabOLzB7fsz7y6tCMga4A+30Z5NBQATPIjmoCvB8K drvuKqIg1/UGTPTY2jUOGegXqJAlm1esKcPjNItohbRNpuQvg2+UaeBbNUBuIlLRVMwO 9TH8DYK4X6lYrnbtSDZVceJC9KF7jaDE5oNfvyNOHnZkrqB3+EBWD7NkqqFmVW9qyH4J 8k9g== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=mime-version:content-transfer-encoding:message-id:date:subject:cc :to:from:dkim-signature; bh=K8xfF3HCQpHW+cM7N06ZQf9N07yrlllNeOXpZ4eCJu4=; fh=YgHcU2amhotomeH1Rv2VyUlgPjm8wpulXwrBvcHF4rI=; b=dTOhYbjdpa/KtYK7Roo4PckvEcc7UPG6p2XHWpifAE4e1PXBbJ89s/v04DzsOVEfVF HbWesiOzBVkl1BwTJq7u/gKJvNXY4PzMjmk3kb78px/MTeHnNr2+qqRD7OU3Y+iu1mwo NzlBqX0ME4rk2NNFwh2VxL/9adEKcoPVYcuMHTNhGxe9fWVVeZb9rQ24KCWDKDpR9Ji0 4lJEMbIpJo2vsWK81wmz6KDomB/KORY8gj5/YSQGvVid4axl9v8E3DcYps+Mx5cR6Q4L Ptb9jy7mdL8NZXf9IIpCTdkq0rW12XForYVQfdVwZMMvDNaaOxbqBr28YYbvE9hXYEtX J97A==; dara=google.com ARC-Authentication-Results: i=2; gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=mYZuNY1g; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::1 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com Received: from AM0PR83CU005.outbound.protection.outlook.com (mail-westeuropeazlp170100001.outbound.protection.outlook.com. [2a01:111:f403:c201::1]) by gmr-mx.google.com with ESMTPS id 4fb4d7f45d1cf-645363aa5f9si273094a12.1.2025.11.24.03.46.56 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 24 Nov 2025 03:46:56 -0800 (PST) Received-SPF: pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::1 as permitted sender) client-ip=2a01:111:f403:c201::1; ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=i7Zi/QN0q9Nb52AJyd2+I3UEn+yevzjXRvtq3NOkJC6s/DXHvioyB86kxadxYSr03km9RbeSUhmGJX2VHbQ4v+Lf/Ahgak9cA4XYzaqPS7BT+zhAgP2hdD2KA+lvKqP6PbBJFIPch3E0ChQ8+Ub7p+Kvtpk+RR3ARlgJQafONBpgmYXuD5K+IDimELoCQlMQorAQAfYPC8ofJUbSl683JHOOUALt/Y1xj6plwceXEnyoUDOujFom8cwr0As0Dc6HmRjzve2WGcmVL5nt9ydVwJCnXiXvduCKIgm/ADD9hjX/cJ6id8O2xMj4UZOrbm8Uvi3JHsJbhXdhYztMaFj3Mg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=K8xfF3HCQpHW+cM7N06ZQf9N07yrlllNeOXpZ4eCJu4=; b=jcTuRHCm9jkajqguf2NCSrEzL5WcH87emHvIvg+FhowhitcZCq1wQ0r5zb91O6TOoruQqGx5n7xxsjxBl6WvPLZzDIH4B2pdwkZxhCZN6Uu15zYWVuFnxWzRKggPdF//C0do0MOHl9+i8OoV+JZHOAopRMbbTWQ3wzNtKkg/Z2y95zlCXe3BioSE2WjST2balGwWCO8H93ls9Tpvy4fSNHWEYc8WFxnY3ujVceAuJv4+Qc4zqFpYf4rsihI/YDUKM8Be962nZ8YIPazFJRJ5L5nutCyHHkXmrFNECTgocJqXkZROfvRK6bUl7UqO4eiI62QrVQb1hejGt7EkzMMFEQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=siemens.com; dmarc=pass action=none header.from=siemens.com; dkim=pass header.d=siemens.com; arc=none Received: from DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:47f::13) by PA2PR10MB9116.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:102:41e::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.9343.17; Mon, 24 Nov 2025 11:46:55 +0000 Received: from DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM ([fe80::8198:b4e0:8d12:3dfe]) by DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM ([fe80::8198:b4e0:8d12:3dfe%4]) with mapi id 15.20.9343.016; Mon, 24 Nov 2025 11:46:54 +0000 X-Patchwork-Original-From: "'Felix Moessbauer' via isar-users" From: "MOESSBAUER, Felix" To: isar-users@googlegroups.com Cc: christoph.steiger@siemens.com, cedric.hombourger@siemens.com, jan.kiszka@siemens.com, quirin.gylstorff@siemens.com, Felix Moessbauer Subject: [PATCH v5 00/10] Add SBOM generation with debsbom Date: Mon, 24 Nov 2025 12:46:28 +0100 Message-ID: <20251124114638.2238090-1-felix.moessbauer@siemens.com> X-Mailer: git-send-email 2.51.0 X-ClientProxiedBy: SG2PR04CA0182.apcprd04.prod.outlook.com (2603:1096:4:14::20) To DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:10:47f::13) MIME-Version: 1.0 X-MS-PublicTrafficType: Email X-MS-TrafficTypeDiagnostic: DU0PR10MB6828:EE_|PA2PR10MB9116:EE_ X-MS-Office365-Filtering-Correlation-Id: 62c22f26-718f-4f6f-5f9d-08de2b4f2a53 X-MS-Exchange-AtpMessageProperties: SA X-MS-Exchange-SenderADCheck: 1 X-MS-Exchange-AntiSpam-Relay: 0 X-Microsoft-Antispam: BCL:0;ARA:13230040|366016|376014|1800799024; X-Microsoft-Antispam-Message-Info: 85RqR9Ymxv/AuILNB7ydAOrOA26hl0zHhCilvFYie5Vkx0FfzKPBd9V5a7NpyVX1IA06uBP0vvLMwUgcBhZf0rDmuPLK/nraE/uc1eJtbtDyk7KkbylziSPkveGkqBaeuoFE/Do8D9x213Ss+Nt8d7my9JdIosK6fJfL3/Elv0PWvW1tarfmvRd2qLAW65099UbJmakUin+T3bFcsxXcoNDEMGZLpmFURKGLSPQG4njvqozxmplcMv8K7tGvGpcpWZjBTC5a4bxUAATJWzXLx3Fc4PztsM+c7zX0YtN8M2ZpZr9lmM7TtgsA0Qsiqvnq1Fvslw0192AawJY5fDoj9qL7gcs8oBl0Z+6as5uUCGJsjYmTD5tEgGVO0zQBMAgKUBuXyX2HKJWxThST9XhNZ78TNDivb5WyZ2pQHJrlwOdV0/SY8FWrh/oKyDYDSwkDJcWafjKJssFZhD7igUkXOm5GjVAIVPqMFI/qE3z+Fsa457+6Q3DEu0Z82hZC6BNZc3l8a09vmCezxIBK4CF6h97I++WK9Sb10pyLU24EEQKnY8y+ahRJGfiTWgUVSL8clBEAR+u7hZ+/0LiqWm3THdlLcPOCU/js/Z6kAT06ScjWUNxqu5WrdhJ5I2/rF29U5Xq4cAG5P5Hi+W9royMjdoXoTHmVMunMpz4DvMZ3zEv6VeVcCdU9S7bMmxn1Y8L0MPhpPs+NA/+cQ/UbQ+kZ+/GM36StasOpwzwr3zF6TyufFCLpLSXvo5A4OM6oq8IegV/5JJ3kTCbvm6PWjcIt0f0kxFIJGa+xUwmOkthWsAHLX9ah+zlREjICxS4aFkt/I0H09u5fm0PkJP3ZI+eYCwxHp+0OkI/WmD9rTe3oXSXgWwaPr6sdPIogfprzh49hbIDbHT/Kl6eDKl7KeRw+v+9bKFummuiFnX90w4D71EMmH9rjBMsO7OBMSRRKWNwSnrS8nmISUg2YnRiX5HwDphSqNP/4SPv4M8ZGevzhjNKNZQx0QZr6JqeKvyQ1ovLbV+/OB1H7qhA/rdnlcC1ypL2kU5JvqbsPE1xgiVxf2d+kxraboZFGAPHPxvtpMuF6GzM+7xwy0PYZlFSFfOckeu0Z+qBLDE/wrGFawZjgAHXuLUgPHEGl4fdj8aEcSjVCNihmq0ICgQwP+sH5BTNSkJZvGdcv5tli/UxlBgEX20dp26kvVCQvfcgeUS1Q3ej1Tqu3siXkU9LmY+TVl/SOIUjh2QrxzWMnnx7uhLNTfhdQCaPfhXJLGb9bkJrw4Q31mmFE/NscuWztO24R0NOZ8qo6seicX9GcoJ/VDNLRfevFu9bcaLPQmrMsYhoZWZk8RF6dN45IxyNkpdpDbHx9qNygGPh01QHdtpuQKU2R+cmYrpJF8AcTi1BqXrUK006O95GV7RJkoiVexTtX6rysyw== X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(366016)(376014)(1800799024);DIR:OUT;SFP:1101; X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1 X-MS-Exchange-AntiSpam-MessageData-0: j5crzvPXChTlLhixpT3Kjp+G+YqKwlFbGZjXhSaTUKirLvKvLed+hQg1B+888TOFJZW3DMEGdQ98YXQdOBQ+Kc5UGmJz2ipcN5HnE1rC0wzxv2RU6BuPBMZ48XiJMFhYx3rZvGlbktXTy/p9YQ7IkMwAE05g9PfGpTyMliqOeBXfVXP0Vm3e5CaXPfj1Y7DPcFiIilonMskMQwtZMtJTCpxNn6zjvgWeZ1/AkOYIudF/untKITZirc02fnoa97dF6F0tTtsMB34yspGABKKGfeRo2oHOj8AvSq7hzADByCcQwWYhxPJ+Qr0rd6xEK3PDk/aE5LeDGaweGvsnPmcbMr67GZn6H/N5oSJ97C6d4yiNKWlDWDCWXj6dYjaTk8TvCRtWYfiA7d3rvf6M9b9GEPPsmyq8DYi/hyIFwY40eZmYvTWTkoTyRm0d3d9svD4gGhoijg+O2bJJd5lhXBldgu4LrOPlLH8ysyK7a8gmlyEHH90H0xIREqfLvaMuAbG8iHyO9bXcKm4g4A0W8LvqRm4UYvwYY2c4W61JQxNaY35KPD915pRCcaFKIfT5Z/B/ZYcNuS5YwOOvSm1k+DWsfR5Y14Vh55FMC8ig69/A3J4KiT5CUJXRzZH20OqlxxxUf8/Y8IJHImtsb3Dlj4NFWZ8heTuKI+g56xoVyV979eqZGQAQIPGBdxD7ORnILAYZE/cvw0+qOCpWFSf/rNhaA9GmV5DA6ZKquWWBsXc2j1O3KrnAWCCVzdvuA8Ut0o/VnBLxvUIvv+xQk3qOXgCobCWXt+xcfrwaOq0Pi9Zjd0fmpjhG21aMrKCFt1UsxWpFiH2ltjxohPV8FSFYuK1Rzz783gMxFiXy0m4VqYaIEUWJFsvfwbQZaJT0wX+qg0gwCpsmKSsAqLEcVJLKLda6w1bfA2mbNKNSRvFHXWGHIWpJp2aCjOY97LUHJwoz4HnTeY1n/JIb8t7yM51+tWzhpCSaoR/qu8qs6T1U9AXx1H27iInjIf+BLQRwzLxWM29KNcplWDI3Sny8mmJEjni1py86rd5e9z0um3mXdl+GMWPljIskTA5WMgTjGDnFm9ngi94L+acJsuSvpxIOZrNq4ERtZgY0i3hbG3YsOnuXjvrE/Jg7oHOW1j2ou6h/PT+i0ag0mzsKuZJByLbHa48M3fseIHNtWO8qaLKgn/UYVOo7zNYDuZg1O4CoNTn0tUjzl333kQ5tCflswYr9XE8bis/rSC2cvH3jIYwG2eESdOSTBrQlfybNyCdQ+0u0WVDnf5bxW/rWJRZ3BLQeLgWslrswtYTyXwQ4HfseOYTrNfeENQDH855QCFTApvc9rZdHPpZ09+Fsq9mkXGxTj25eeFfwX2cLMzomup8/KHm3lFscIEkUkmxi/JrozahXargpWLpHCoxIaVMvT4tYo9fqKOmonlqt9lHSpGE6hALI+LQYpOscqh10CClkdcM/cLMyLfl3pP7ZsJuNlVlwSzwKM1c9pB4RGP6BOEXQbcGMe6Qut7K2O6pp3rt6WxZilMWuMtkMMGTrVNQbKLY0mR5Y5Pj5MBmpQms1cwyOPG3DZU1mwwZPM5wLkXWQUdhKvBlR7xRXJqTEf86VX3Sf+d7G9A== X-OriginatorOrg: siemens.com X-MS-Exchange-CrossTenant-Network-Message-Id: 62c22f26-718f-4f6f-5f9d-08de2b4f2a53 X-MS-Exchange-CrossTenant-AuthSource: DU0PR10MB6828.EURPRD10.PROD.OUTLOOK.COM X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 24 Nov 2025 11:46:54.9331 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 38ae3bcd-9579-4fd4-adda-b42e1495d55a X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: d+Kniy9mqOYBIkQcljH+RemHRKQ59kCYQeQoNgbPRCCe3odW8FUHdzuCkSsndmUCbq2VZNaDWDX3ThzRjHRKCPLwiNtMhImLnsFXbYXIFms= X-MS-Exchange-Transport-CrossTenantHeadersStamped: PA2PR10MB9116 X-Original-Sender: felix.moessbauer@siemens.com X-Original-Authentication-Results: gmr-mx.google.com; dkim=pass header.i=@siemens.com header.s=selector2 header.b=mYZuNY1g; arc=pass (i=1 spf=pass spfdomain=siemens.com dkim=pass dkdomain=siemens.com dmarc=pass fromdomain=siemens.com); spf=pass (google.com: domain of felix.moessbauer@siemens.com designates 2a01:111:f403:c201::1 as permitted sender) smtp.mailfrom=felix.moessbauer@siemens.com; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=siemens.com X-Original-From: Felix Moessbauer Reply-To: Felix Moessbauer Precedence: list Mailing-list: list isar-users@googlegroups.com; contact isar-users+owners@googlegroups.com List-ID: X-Spam-Checked-In-Group: isar-users@googlegroups.com X-Google-Group-Id: 914930254986 List-Post: , List-Help: , List-Archive: , List-Unsubscribe: , X-Spam-Status: No, score=-4.9 required=5.0 tests=DKIMWL_WL_MED,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,MAILING_LIST_MULTI, RCVD_IN_DNSWL_BLOCKED,RCVD_IN_MSPIKE_H2,RCVD_IN_RP_CERTIFIED, RCVD_IN_RP_RNBL,RCVD_IN_RP_SAFE,SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.2 X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on shymkent.ilbers.de X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= This patchset adds proper SBOM generation in the two standard formats SPDX and CycloneDX during the rootfs generation process. The generation is itself is handled by a SBOM generator `debsbom` [1] which is developed as an open source project at Siemens. It is still early in development, but it has enough features for what we require in isar. The required dependencies which are not yet available as Debian packages were minimally packaged directly in isar too. This is a followup of the previous RFC [2]. Since then the series has changed a lot. The SBOM generation was moved from a simple OE lib to `debsbom`. This also meant the introduction of a separate chroot was necessary. The SBOM generation process was also moved from the image step to the rootfs step, along with a lot of minor changes and improvements. [1] https://github.com/siemens/debsbom [2] https://groups.google.com/g/isar-users/c/8L-CF4BJY0I/m/p0N3o_zfAAAJ Changes since v4: - rebased onto next - fix race condition on creation of ${DEPLOY_DIR_SBOM} (aka ${DEPLOY_DIR_IMAGE}) Changes since v3: - fix issue on external bullseye initramfs (we now disable sbom generation on all unsupported distros rootfs instances) - update debsbom to v0.4.0 - rebased onto next Changes since v2: - fix issues when HOST_ARCH != DISTRO_ARCH on derived distributions - update debsbom to v0.3.0, which fixes the Origin: bug reported in v2 - generate SBOM for imager as well and create merged sbom of .wic image - resend imager manifest + wic manifest patches to reduce conflicts Note, that the patches p1-p5 are most important as they add basic SBOM support. The remaining patches address the imager + .wic bom part, which also can be merged later on. Changes since v1: - remove tarball - refactor packaging (auto-derive python dependencies) - only build missing packages (varies on bookworm, trixie, noble) - add ubuntu support - only generate sboms for supported distributions (bookworm/jammy and onwards) - update debsbom (includes bug fixes and more information for source packages) Christoph Steiger (3): meta: package python libraries for SBOM generation meta: package python3-debsbom meta: add SBOM generation with debsbom Felix Moessbauer (7): refactor: move get_rootfs_distro from sdk into rootfs override distro vendor in SBOM on Ubuntu add support to add imager dependencies to BOM wic: create uniform manifest describing all image components qemuamd64: add IMAGER_BOM entries imager: create SBOM of IMAGER_BOM packages wic: create uniform SBOM describing all image components doc/user_manual.md | 1 + meta-isar/conf/distro/ubuntu-common.inc | 2 + meta-isar/conf/machine/qemuamd64.conf | 1 + meta/classes/image-tools-extension.bbclass | 29 +++++++++ meta/classes/image.bbclass | 7 ++ meta/classes/imagetypes_wic.bbclass | 30 +++++++++ meta/classes/initramfs.bbclass | 3 +- meta/classes/rootfs.bbclass | 23 ++++++- meta/classes/sbom.bbclass | 65 +++++++++++++++++++ meta/classes/sdk.bbclass | 10 +-- .../sbom-chroot/sbom-chroot.bb | 30 +++++++++ .../python3-beartype/files/rules | 8 +++ .../python3-beartype_0.19.0.bb | 29 +++++++++ .../files/pybuild.testfiles | 1 + .../python3-cyclonedx-lib/files/rules | 8 +++ .../python3-cyclonedx-lib_9.1.0.bb | 48 ++++++++++++++ ...icense-description-in-pyproject.toml.patch | 28 ++++++++ .../python3-debsbom/files/rules | 8 +++ .../python3-debsbom/python3-debsbom_0.4.0.bb | 45 +++++++++++++ .../python3-packageurl/files/rules | 8 +++ .../python3-packageurl_0.16.0.bb | 33 ++++++++++ .../python3-py-serializable/files/rules | 8 +++ .../python3-py-serializable_2.0.0.bb | 38 +++++++++++ .../python3-spdx-tools/files/rules | 25 +++++++ .../python3-spdx-tools_0.8.3.bb | 46 +++++++++++++ 25 files changed, 523 insertions(+), 11 deletions(-) create mode 100644 meta/classes/sbom.bbclass create mode 100644 meta/recipes-devtools/sbom-chroot/sbom-chroot.bb create mode 100644 meta/recipes-support/python3-beartype/files/rules create mode 100644 meta/recipes-support/python3-beartype/python3-beartype_0.19.0.bb create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/pybuild.testfiles create mode 100644 meta/recipes-support/python3-cyclonedx-lib/files/rules create mode 100644 meta/recipes-support/python3-cyclonedx-lib/python3-cyclonedx-lib_9.1.0.bb create mode 100644 meta/recipes-support/python3-debsbom/files/0001-Use-old-license-description-in-pyproject.toml.patch create mode 100644 meta/recipes-support/python3-debsbom/files/rules create mode 100644 meta/recipes-support/python3-debsbom/python3-debsbom_0.4.0.bb create mode 100644 meta/recipes-support/python3-packageurl/files/rules create mode 100644 meta/recipes-support/python3-packageurl/python3-packageurl_0.16.0.bb create mode 100644 meta/recipes-support/python3-py-serializable/files/rules create mode 100644 meta/recipes-support/python3-py-serializable/python3-py-serializable_2.0.0.bb create mode 100644 meta/recipes-support/python3-spdx-tools/files/rules create mode 100644 meta/recipes-support/python3-spdx-tools/python3-spdx-tools_0.8.3.bb